CVE-2016-5419

Опубликовано: 03 авг. 2016

Источник: redhat

CVSS3: 4.8

CVSS2: 5.8

EPSS Низкий

Описание

curl and libcurl before 7.50.1 do not prevent TLS session resumption when the client certificate has changed, which allows remote attackers to bypass intended restrictions by resuming a session.

It was found that the libcurl library did not prevent TLS session resumption when the client certificate had changed. An attacker could potentially use this flaw to hijack the authentication of the connection by leveraging a previously created connection with a different client certificate.

Затронутые пакеты

Платформа	Пакет	Состояние	Рекомендация	Релиз
.NET Core 1.0 on Red Hat Enterprise Linux	rh-dotnetcore10-curl	Out of support scope
.NET Core 1.1 on Red Hat Enterprise Linux	rh-dotnetcore11-curl	Out of support scope
.NET Core 2.0 on Red Hat Enterprise Linux	rh-dotnet20-curl	Out of support scope
.NET Core 2.1 on Red Hat Enterprise Linux	rh-dotnet21-curl	Will not fix
Red Hat Enterprise Linux 5	curl	Will not fix
Red Hat Enterprise Linux 6	curl	Will not fix
Red Hat Enterprise Virtualization 3	mingw-virt-viewer	Will not fix
Red Hat JBoss Enterprise Web Server 3	curl	Affected
Red Hat Enterprise Linux 7	curl	Fixed	RHSA-2016:2575	03.11.2016
Red Hat Software Collections for Red Hat Enterprise Linux 6	httpd24-curl	Fixed	RHSA-2018:3558	13.11.2018

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate

Дефект:

CWE-295

https://bugzilla.redhat.com/show_bug.cgi?id=1362183curl: TLS session resumption client cert bypass

EPSS

Процентиль: 83%

0.02128

Низкий

4.8 Medium

CVSS3

5.8 Medium

CVSS2

Связанные уязвимости

CVE-2016-5419

CVSS3: 7.5

ubuntu

около 9 лет назад

curl and libcurl before 7.50.1 do not prevent TLS session resumption when the client certificate has changed, which allows remote attackers to bypass intended restrictions by resuming a session.

CVE-2016-5419

CVSS3: 7.5

nvd

около 9 лет назад

curl and libcurl before 7.50.1 do not prevent TLS session resumption when the client certificate has changed, which allows remote attackers to bypass intended restrictions by resuming a session.

CVE-2016-5419

CVSS3: 7.5

debian

около 9 лет назад

curl and libcurl before 7.50.1 do not prevent TLS session resumption w ...

GHSA-j5mq-cppw-g9w7

CVSS3: 7.5

github

больше 3 лет назад

curl and libcurl before 7.50.1 do not prevent TLS session resumption when the client certificate has changed, which allows remote attackers to bypass intended restrictions by resuming a session.

SUSE-SU-2016:2449-1

suse-cvrf

почти 9 лет назад

Security update for curl

EPSS

Процентиль: 83%

0.02128

Низкий

4.8 Medium

CVSS3

5.8 Medium

CVSS2